1

Continuous Auditing technology adoption in leading internal audit organizations

Miklos A. Vasarhelyi, Professor, Rutgers University, email: miklosv@andromeda.rutgers.edu
Siripan Kuenkaikaew, Ph.D. Student, Rutgers University
James Littley, KPMG
Katie Williams, KPMG
Working Paper
Abstract: The umbrella of advanced technology
covers a range of techniques widely used in the U.S. to
provide strategic advantage in a very competitive business
environment. There is an enormous amount of
information contained within current-generation
information systems, some of which is even processed on
a real-time basis. More importantly, the same holds true
for actual business transactions. Having accurate and
reliable information is vital and advantageous to
businesses, especially in the wake of the recent recession.
Therefore, the need for ongoing, timely assurance of
information utilizing continuous auditing and continuous
control monitoring methodologies is becoming more
apparent. To that end, we have prepared and conducted
interviews with the internal audit departments of 9 leading
organizations to examine the status of technology
adoption, to evaluate the development of continuous
auditing, and to assess the use of continuous control
monitoring. We found that several companies in our study
already have employed some types of continuous auditing
and continuous control monitoring technologies, and
others are attempting to adopt more advanced audit
technologies. According to our audit maturity model, all
of the companies are between traditional audit stage and
emerging stage, and have not yet reached the continuous
audit stage. The interviews indicate a progressive
acceleration of the rate of technology adoption, despite
the presence of several obstacles.
1. Introduction
Continuous auditing (CA) is a methodology that
enables independent auditors to provide written assurance
on a subject matter using a series of auditors reports
issued simultaneously with, or a short period of time after,
the occurrence of events underlying the subject matter
(CICA/AICPA, 1999). This concept is not new; CA has
been explored in internal audit circles since the 1970s
(Heffes, 2006). The rate of adoption of continuous
auditing has gradually increased over the years; however,
most adoptions remain in the preliminary phrases. This
paper aims to study the status of technology and
continuous auditing technology adoption in leading U.S.
organizations.
By analyzing the drivers and barriers that affect the
adoption of continuous auditing and continuous control
monitoring in organizations, we will gain a better
understanding of the stage of development and usage of
the technology. The study will be beneficial to the
management of companies that either have already
adopted CA or are seeking to adopt CA technology. Our
findings will provide guidance to internal audit
departments tasked with making long-term CA decisions.
Technology adoption is by no means a new subject
for academic research. Karahanna et al. 1999 have
investigated Windows technology adoption across time.
Troshani and Doolin (2005) have studied the impact of
XBRL technology in Australian organizations.
Organizational characteristics on integrated services
digital networks (ISDN) adoption decision were examined
by Lai and Gynes in 1997. Additionally, some researchers
explored perceived importance of IT in audit applications
(Janvrin et al. 2008), and challenges of continuous audit,
focusing on the audit report lag identified by partners of a
Big 4 accounting firm (Searcy et al. 2002). However,
there is yet no research studying technology adoption in
internal audit or continuous audit departments.
The remainder of this paper is divided into six
sections. The following section provides an overview of
continuous auditing. The third section presents a review
of the prior literature, underlying theory and concepts for
interview guide development. Methodology is discussed
in the fourth section. Section five presents interview
results. Analysis of results is in section six, followed by
conclusions.
2. An overview of continuous auditing
The CICA/AICPA defines continuous auditing as the
generation of written assurance simultaneously or a short
period of time after the occurrence of the assured events.
To achieve that purpose, continuous auditing may have to
rely heavily on information technologies such as broad
bandwidth, web application server technology, web
scripting solutions and ubiquitous database management
systems with standard connectivity (Sarva 2006).
Since the Enron and WorldCom scandals,
management and executives are dramatically aware of the
presence and impact of control breach. Section 302 of the
Sarbanes-Oxley Act (SOX) mandates that the company
board should certify and approve financial reports on
quarterly basis. Under SOX section 404, management is
required to document and test the companys internal
controls over financial reporting. These processes are
costly and require substantial effort from relevant parties.
More relevant to our discussion, SOX section 409
requires a real-time disclosure on information or material
change on financial condition or operation of a company.
This requirement accelerates the reporting timeline in
section 13 of the Securities Exchange Act of 1934.
2
Timely monitoring that identifies irregular events is
necessary in order to comply with the regulations, and
cannot be fulfilled with traditional audit. Searcy and
Woodroof (2003) suggest that more frequent reporting
should reduce uncertainty and enhance investors
perceptions of a company, and that more frequent audit
should ensure data integrity. All of these SOX provisions
and post-SOX findings emphasize the importance of, and
have generated demand for, CA. It can satisfy the
impending need for real time audit and report, and can
enable both internal and external auditors to execute their
new functions. With technology-enabled continuous
auditing, internal auditors can improve assurance quality,
gaining the ability to audit 100 percent of transactions as
opposed to just samples (OReilly 2006).
In 2006, PricewaterhouseCoopers conducted their
State of the Internal Audit Profession study, surveying
392 companies, to capture the internal audit professions
view toward continuous auditing. They found that
81% of surveyed companies had a CA or CM
process in place or planned to develop one.
The percentage of companies that developed CA
systems increased significantly from 35% to
50% during 2005 to 2006.
56% of the respondents had both manual and
automated CA processes.
Most of the continuous auditing cycle is
quarterly.
These findings clearly support the usefulness of
continuous auditing. By expanding the scope and
frequency of audit processes, technology-enabled CA
provides the means for internal audit to strengthen
reporting and communication with senior management
and the audit committee, and delivers more effective
independent assurance to key stakeholders (PwC 2006).
3. Literature review
Prior literature extensively examines technology
adoption across diverse fields, including the studies of
continuous auditing under various perspectives. CA relies
heavily on existing IT; there is no exclusive technique or
process for companies. There are different alternatives of
technologies and several characteristics of organizations
that will determine what kind of technology they will
adopt, and to what degree. The question regarding
executives decisions is not whether or not they will adopt
CA, but when (Hall and Khan 2003).The key factors that
influence their decision should be explored.
Management support
Investment decisions usually come from top
management. Management support is critical for
successful implementation, especially for a project that
requires a large budget and affects operational processes.
Additionally, we must consider that under a CA/CM
framework, external auditors must have access to the
systems and data of auditees (Handscombe 2007). Such
access requires management approval. With a CA
approach, some internal audit processes may be changed;
for example, audits will occur more frequently, but fewer
manual procedures will be involved. In addition,
appropriate response from management to audit exception
reports is crucial. For instance, a system with integrated
automated audit modules may issue a warning report or
alert to both top management and the auditor, and
management must take appropriate action and/or have
appropriate responses (Sarva 2006). Management has a
crucial role in implementing continuous auditing
technology.
Employee knowledge
Hall and Khan (2003) posited that the adoption of a
new invention might be slow if the success of the
implementation depends upon the costly acquisition new
and complex skills. Even though some applications allow
users to easily execute their work without required
knowledge, users still need to have some basic
understanding for the applications to work efficiently. In
Troshani and Doolins 2005 XBRL adoption study, an
interviewee explained that it is easier to use a tool when
you understand the fundamental technology underneath
it. In addition, Arnold and Sutton (1998) found that there
is a high risk of failure if a user with insufficient
knowledge has to use intelligent decision aids. Failure in
this situation may lead to legal liability, and that prospect
could influence the management to decline the use of
technology to assist auditing.
As stated earlier, continuous auditing relies heavily
on advanced technology that assists an internal auditor in
investigating irregular transactions. Thus, it requires that
internal auditors as users have either some basic
knowledge or skills concerning the implemented tools, or
a capability to learn. Employee qualification is a critical
success factor for CA adoption.
Perceived cost
Among the studied characteristics that influence
technology adoption, one of the most important is cost. In
this context, cost is not the actual price of adoption, but
rather the perception of that cost to the adopting parties.
There are two main schools of thought on this issue. On
one hand, researchers believe that a decision to adopt new
technology depends on the cost perceived by the decision
makers. The adoption would thus take place when
perceived benefits exceed perceived costs (Hall and Khan
2003). Taylor and Murphy (2004) have suggested that
high set-up and ongoing costs could be barriers to the
implementation of technology. There also exists research
finding that cost is no longer a major hurdle for
continuous auditing adoption. There has been a dramatic
drop in the cost of implementation CA and in the
availability of support technology (Searcy and Woodroof
2001). A PwC 2006 survey found that only 12% of
companies cited cost as their primary obstacle to
adoption.
3
Regulation and compliance
In 2002, the Securities and Exchange Commission
(SEC) released regulation 33-8128, requiring public
companies to accelerate the submission of financial
reports. An annual report timeline is changed from 90
days to 60 days, and a quarterly report time-line is
changed from 45 days to 35 days. It is believed that the
timeliness of financial information provides more value to
the users of that information (Behn et al. 2006).
In a similar vein, Gray and Shadbegian (1998)
studied the effects of an environmental regulation on
investment decisions made in paper mills. Using census
data, they found that new plants located in the areas that
have rigorous regulations were more likely to adopt
production technology that causes less pollution.
SOX section 404 has a major impact on management
and auditors, since it involves internal controls quality
assurance and on-time reporting. As a result, many
executives are considering continuous auditing as a
solution to comply with the regulation (Handscombe
2007). A 2006 PwC survey confirmed that compliance
with SOX had been demanding, and the efforts of internal
auditor to comply with this act are significant. As a result,
the presence of demanding regulations and management
decision to adopt technology are expected to have a
positive relationship.
4. Methodology
Field research methodology has been employed.
Even though this kind of research may suffer from the
generalization problem, it provides potentially rich
information and detailed understanding (Clegg et al.,
1997). The study examines the status of continuous
auditing and monitoring adoption in leading edge
organizations through directed interviews with internal
auditors, internal audit management, and IT internal
auditors applying technology related to continuous
monitoring. The aim is to understand what makes a firm
an early adopter of CA/CM, the HR and process
implications to pursuing CA/CM, and the specific
technologies they use. We are interested in the strengths
and weaknesses of their approaches, the implementation
challenges they face, and how they are attempting to
overcome them.
A semi-structured interview provides insights for
identifying and understanding viewpoints, attitudes and
influences (Troshani and Doolin, 2005). Interviews were
conducted face-to-face through site visits. Interviews
lasted approximately 3 to 4 hours per company.
Interviews were tape-recorded when possible and
transcribed afterwards. Interviewees were selected from
the internal audit department. At least four employees
were interviewed per organization to ensure validity,
information completeness, and a range of points of view.
In addition, more than one interviewer conducted the
interviews (Troshani and Doolin, 2005), and analyzed the
results simultaneously.
5. Interview result
Due to space restrictions, the interview results of only
4 companies are presented here.
Consumer 1
Overview
The company is a decentralized and entrepreneurial
organization with $40 billion in sales, 60% in the United
States and Canada and another 40% in other countries
worldwide. The company operates in 90 countries, and
sells to 200 countries. Currently, they are implementing
SAP in the USA and other countries.
Human resources
There are 3 financial audit directors in the internal
audit department, one responsible for all US and Canada
branches, and the other two in charge of international
branches. All of the internal audit staff works within a
roll-in, roll-out scheme. They join the company roll
in for a few years and then leave roll out to join
another company to gain business experience. They may
re-join later with higher positions. The vice president of
internal audit reports directly to the CFO and the
Committee Chairman. The committee meets 5 times a
year. The IT audit team has 9 members with 4 managers
worldwide. Initially, IT worked manually and tested
normal IT general controls. Presently, the team does more
technical audit work such (e.g. networking, operating
system and database review); therefore, more tools are
deployed to facilitate these tasks. Sometimes, the team co-
sources with outside specialists to review the network
utilizing special tools.
There are 2 training sessions a year which bring all
team members together for one week to train both
technical and soft skills. The staff also gains knowledge
through on-the-job training and training from third party
experts. For example, if IT audit staff has a skill gap, they
co-source consultants from Big 4 audit firms to provide
coaching. However, the department still lacks an efficient
training model that can support new technology learning
and other necessary knowledge.
Process and technology
There are 2 noteworthy ongoing projects in the
internal audit department. These projects focus on the
adoption of audit and data analysis tools respectively. For
audit tools, they chose Approva BizRight to review
segregation of duties in SAP. A Big 4 firm has been hired
as a consultant on this project. When the project is
completed, it will enable automatic audit tasks to be
completed without travel. For data analysis, the internal
audit department used to utilize tools such as ACL and
Microsoft Access. However, it is looking for more
autonomous and efficient tools..
Normally, if internal audits initiate any idea for a
project, they have to prove that the idea will work. The
project is then transferred to a business unit, which will
formally develop and submit it to the related department.
4
In the internal audit vice presidents opinion, business
units should be responsible for key controls examination
as self monitoring. The internal audit department will
provide a self-evaluation questionnaire (SEQ) to evaluate
the controls.
In 2004, the internal audit team had to focus on SOX
and educated the IT organization to prepare documents
and controls to support SOX implementation. It took
about 2 years to complete this process. After that, the
Process Control & Security Team began a segregation of
duties and access control project. A steering committee
was set up for SAP projects that go on both domestically
and internationally. SAP projects implemented
internationally use a template approach to facilitate
implementation. They also have IDS Scheers ARIS tools
on top of SAP to provide business process flow, control
definitions, risk control documents, narrative, SAP
configurations and common control standards. Using this
tool, all controls are harmonized and standardized world-
wide.
With SAP implementation, most of the IT audit work
can be done automatically and centrally on an annual
basis. The company expects audit operations to be more
efficient and effective within 3 years. Approva BizRight
will be set up for segregation of duty review and
integrated in the SAP user access provisioning process.
The company has Approva Process Insight (PI) tools
executed internationally as a pilot, for automated testing
of some business process control. SGCC tools ITGC
version is used to do automated testing of the SAP
configuration setting.
Due to the fact that the company uses several
platforms such as Unix, AS/400, JDE, PeopleSoft and
Oracle, system compatibility and data extraction are
problems. The IT internal audit department is still
searching for tools suitable for data extraction and data
analysis. Generally, the team gets data from the process
owners or vendors, and then, processes the data using MS
Excel or Access. However, this task is often substituted
by manual controls outside SAP.
Future directions and challenges
In the future, internal audit teams want to see off-the-
shelf tools become more sustainable and affordable while
requiring less customization, especially those tools that
facilitate SAP audit, such as security and segregation of
duties. They believe that 70 percent of controls have the
potential to be tested remotely. If audit tasks are
automated, the cost of control will be reduced. Moreover,
data analysis will be done along with control monitoring.
Hi-tech
Overview
In 2002, the company began using SAP and building
a set of continuous monitoring tools. A key person came
on board as part of the team to develop these tools. This
person is a key success of the project. There is a
development group under the internal audit department,
which is not normal practice for the company. The audit
teams are in the process of legitimizing this process by
developing a separate working group.
The companys internal auditors believe that
continuous monitoring saves labor, facilitates processes,
and can help identifying solutions. For example, in the
previous year, the monitoring process facilitated the SOX
audit tasks, and the external auditors can now rely on the
internal auditors work.
The companys compliance vision is based on three
categories of risks:
IT Operations Risk (ITIL)
Application Risks (systems reliability)
Financial Process Risks (transaction processes)
The internal audit department implemented an IT
Operational & Application Risk dashboard, which
deploys the organizations control environment.
The most critical system within the company is SAP,
which covers and benchmarks 75 percent of the controls.
Other systems include PeopleSoft, Baan, AS/400 and
JDE. Besides the KPI reporting tool, the internal auditors
use MindMapper, ACL, SQL, Risk Assessment and
Controls Evaluation (RACE), which has been used for 4-5
years to track audit engagements and working papers. The
company has an enterprise data warehouse, containing
financial information, but use is limited due to
reconciliation issues. In addition, various legacy
applications exist for certain applications, such as costing,
procurement, pricing, and revenue recognition.
Approximately 60 applications are relevant to SOX
compliance.
People-related
There are approximately 30 internal auditors in the
head office and about 125 people worldwide. The internal
audit department reports directly to the vice president.
Approximately 25 percent of the internal auditors and 40
percent of the IT auditors are career auditors. Most have
external audit experience before joining the company. The
enterprise compliance group focuses on monitoring and
periodic independent evaluation for SOX. However, this
group is not included under the internal audit department.
Process and technology
Historically, the company has used Bindview to send
information to external auditors. Now, the data is loaded
in Excel and uses color coding, which requires much
manual intervention.
With the emergence of SOX requirements, the
company desires more efficient operations, developing an
audit benchmark and KPI tool for the internal audit
department. The department places much emphasis on
both technology and methodology. It also developed a
continuous monitoring tool and solution to assist with
SOX compliance. The KPI tool utilizes both leading
indicators, such as percentage of system uptime, and
lagging indicators, such as number of incident tickets. The
monitoring tool has the ability to generate graphs that
5
show trends, and can compare with other t-code. The
internal audit team generate summary change reports, KPI
reports, and many other SAP review documents, within
the framework of the in-house system.With the in-house
system, the internal audit department.
Even though many SAP configurations are
customized, standard controls, such as three-way
matching, remain. The KPI reporting system used by the
auditors is patent protected, and has been used with a
financial services client . Data for KPI reports are
captured by automated extraction. The KPI benchmark
report is generated monthly and compares operations
from two periods. Both changed and unchanged controls
are shown in this report, and it is divided into sections for
easy review. There is a column that links to working
papers as well. However, there is no alarm set presently.
This tool is built to avoid requiring direct access to data
when an internal auditor needs information for analysis,
as was the case in past years.
There are 25 SAP-based systems installed across the
organization. Each instance is managed by a different
SAP team, and data extraction is done on a monthly basis
using in-house software built on top of the SAP system.
Data calculation is then run via the ABAP protocol, and
reports are generated. The system can keep aggregated
data for at least 13 months and detailed data for 3 months.
Only employees responsible for a function related to SAP
are granted an SAP user ID. A segregation of duty report
can be pulled from the system for review. Segregation of
duty rules are either basic, such as those based on t-code
and activity code, or based on complex rule tables. Rule
changes must be approved by authorized personnel. The
company has a control baseline which is re-validated
periodically and can be compared to previous periods to
assess any change occurred.
Future directions
The most important challenges of the implementation
of this continuous control monitoring framework are audit
conservatives, who do not want to change; changes in
leadership roles; management buy-in; visibility among the
management team; and relationship management.
I nsurance
Overview
The internal audit department focuses on integrated
audit and controls embedded in applications, both
automated and manual. During this year, the emphasis is
on the audit automation, ACL, SQL, matching data, using
different tools and professional analysis. Next year,
internal audit management plans for more continuous
auditing. Although they expect to work on both
automated and manual controls, they will focus more on
automation.
People-related
The companys turnover rate is low compared to its
peers. There are 185 employees in the Internal Audit
department, 50 of whom are international, and 22 of
whom are IT auditors. The internal audit department is
organized by lines of business. There is a specific internal
audit group for each line of business such as finance, and
IT. The career path is individualized; for example, 25% of
the staff wants to remain at the company for no more than
2 years and then move to a new job, and 30% want to
practice and improve their skills. Normally, the company
prefers to hire experienced candidates to the internal audit
team.
Training is provided to each employee according to
his/her development plan, which is discussed with the
manager, and also based on previous experience.
Therefore, there is no standard or required training
scheme. Samples of training provided are internal controls
, analytical concept, ACL, and SQL. Talent train is a
program that rotates people within and outside the internal
audit department with business departments. In the
management opinion, analytical skill is the most difficult
to train.
Process and technology
The internal audit department has made an effort to
automate certain tasks, especially those that are repetitive
and high-volume. However, there are still many
operations that have yet to be automated, e.g. claim
payment processing. The company has several legacy
systems that have been in place for many years.
The ACL tool has been used for 10 years and training
for this tool is provided to staff across the organization.
Financial auditors at the company have used ACL for a
long time. Other software is utilized for certain tasks,
such as SQL and SAS for analytical procedures, Paisley,
for the audit test plan, and Galileo, a web-based workflow
tool, for working papers. Although Galileo has been used
for 2 years, the company is planning to change to Paisley
GRC.
The IT department is responsible for data extraction,
which is done in a secure environment. The challenge is
to get the data on time, which depends on task
complexity. In addition, some data sets are too large to be
efficiently run on laptop computers. The company has
frequent reviews, and a very specific audit scope. Even
though most of the current reviews are manually
performed, the future goal is to automate reviews,
increasing coverage, decreasing time spent.
Besides internal audit, there are other departments
with responsibility related to company internal control
and processes, including SOX audit, fraud, compliance,
privacy, enterprise risk management and IT risk
management. Each unit reports to its head and tasks
among different departments often overlap. The company
is implementing GRC in the expectation that it will
facilitate information sharing between departments. The
IT risk management group is responsible for SOX testing,
and reports to the IT department. This group performs risk
assessment together with IT audit by agreeing on
processes, control, and test plans.
Future directions
6
Management wants to increase the utilization of
analytical process, and would like internal auditors to be
able to analyze business processes more concretely. The
direction of the internal audit department is to maximize
automation for the audit task by piloting more strategic
analytic work. The size of the audit organization may be
reduced with more automated audit procedures.
Bank 1
Overview
In the past, the system audit was outsourced to a Big
4 audit firm. Eventually, the company set up an IT
infrastructure audit department, hiring experienced staff
with Big 4 experience.. Eventually, the team expanded the
scope of their mission to include application audits. The
internal audit staff report to the audit manager. The
company implemented continuous auditing in 2000.
People-related
There are 14 employees in the continuous auditing
unit, including 2 managers. The company plans to hire an
additional superintendent in the future. Generally, the
company prefers to hire staff with banking experience.
The company provides a variety of training for staff,
including IT Infrastructure Library (ITIL) foundations,
COBIT, IT governance, IT infrastructure, Certified
Information System Auditor (CISA), SAS, Resource
Access Control Facility (RACF), bank accounting, risk
management, ACL, and audit foundation.Additionally,
the company coordinates with the university to arrange
MBA courses specially designed for the banking industry.
The company also sends its staff from several units, such
as internal audit, financial audit, risk management, fraud
prevention, IT, to attend these MBA courses.
Process and technology
The company has been implementing continuous
auditing for almost 10 years, starting with the retail audit
area of each branch by constructing routines in the
mainframe, and monitoring iterative processes. The
internal audit department has to issue a control risk
assessment report to top management.
The IT group has access to approximately 1,500
systems. The company monitors over 5 million customer
accounts on a daily basis, and the system sends out about
6 thousand alerts a month. Internal auditors analyze the
alarm and inform management. Continuous auditing has
been implemented for the business processes that are
supported by IT systems which are difficult to manually
audit. The implementation of continuous auditing also
helps improving the timeliness and scope of internal
control review.
Data extraction is done by the IT group, which has a
service level agreement (SLA) with the internal audit
group to provide data upon request within an agreed
timeframe.
Future directions
The company plans to adopt a new,integrated IT
infrastructure for continuous monitoring. Currently, it
uses Focal software to extract reports and data, transforms
data into a text file, and works with MS Access and
Excel.
6. Analysis of results
The companies in this study are leading organizations
in different industries. Some sport advanced applications
of continuous auditing and continuous monitoring
technology, while some are in the preliminary phase of
implementation. We hypothesized in the literature review
section that adoption of technology and level of access to
data for auditing need support from management, internal
auditors need sufficient knowledge and skills to
efficiently work with the audit-aid tools, and the
perceived cost of adoption should have some effects on
the decisions of companies.
Management support
The continuous auditing and continuous monitoring
projects require support from management, especially in
the areas of access to data and implementation of audit-
aid technology. Interviewees reported that internal
auditors do not have direct access to the data. In some
companies, they need approval from the data owner or
management before gaining access and, even then, access
is time-limited. Normally, data extraction is done by the
IT division according to the auditors request. In
companies that have some level of continuous auditing
and continuous monitoring systems, most of the data are
automatically extracted without human intervention and
analyzed by internal auditors. Therefore, data integrity
and security is maintained.
For project management, the audit-aid technology
implementation is initiated and supported by the head of
the internal audit department or higher level management.
Currently, an internal audit department of each company
is responsible for control monitoring, including
monitoring exceptional reports and alarms from the
system. If there is any irregular or critical alarm,
management will be notified.
Employee knowledge
The continuous auditing and continuous monitoring
involve IT to a large degree. Therefore, it is necessary that
employees have the technological skills and knowledge
required for their work. Some companies have specific
software tools that require specialized training, and all of
the companies utilize more than one tool. Each company
therefore must (and does) provide different types of
training to its employees. Some companies have
developed standard training courses required to all the
employees. Another approach is to offer customized
training where the courses to be attended depend on
specific needs. One of the companies also cooperates with
a university to provide the MBA program necessary for
their staff. Training covers general audit knowledge (e.g.
7
internal control, audit methodology, etc.) as well as
specific technical knowledge such as data analytic tools,
work flow and working paper instruments. In addition,
most of the companies prefer experienced staff to join
their organization.
Several other trends were discovered over the course
of our interviews. For instance, various companies have a
staff rotation program; some of the internal auditors will
rotate in and out from the internal audit department
various business departments. We believe that this
program will have an effect on the internal audit staffs
breadth of knowledge and skill. Furthermore, all of the
interviewed companies have a number of audit-like
organizations which monitor internal controls in different
areas. However, some of the audit areas overlap, and the
results of the review are not efficiently shared among
them.
Perceived cost
Perceived cost is the perception of managers on the
setup and ongoing costs of continuous auditing and
continuous monitoring implementation. From the
interviews with internal audit department managers, we
found that cost was not identified as a major barrier for
the adoption of technology. The internal audit
management departments of some companies consider
continuous auditing and continuous monitoring important
components of advanced audit processes and frequent up-
to-date reporting and would like to invest in this
technology. For example, some hi-tech and bank
organizations have developed specific tools for
continuous monitoring and have employed developers to
support the continual improvement of internal audit.
Regulation and compliance
All of the interviewed companies have to comply
with SOX, and they have specific divisions to monitor
and ensure SOX compliance. There is no explicit
relationship between continuous auditing/monitoring
implementation and regulatory compliance. However, this
technology has tremendous potential to fulfill SOX
requirements. SOX review is very detailed, complicated
and time consuming, and interviewees reported that
CA/CM facilitates the review activities and reduces the
time allocated to SOX compliance. For example, the audit
department of one company developed a monitoring tool
that now reviews the companys ERP system for both
general internal control purposes and SOX compliance.
This tool helps internal auditors work efficiently and
supports comparison and benchmarking of the internal
control components. External auditors are therefore able
to rely on the work of internal auditors, reducing time
effort required from both parties.
The assessment and the audit maturity model
The audit maturity model (Table 1) was developed to
assess the level of continuous auditing and continuous
control monitoring adoption in an organization. This
model classifies the audit evolution into 4 stages, which
are traditional audit, emerging, maturing, and continuous
audit, considering 7 domains: objective, approach, IT/data
access, audit automation, audit and management sharing,
management of audit functions, and analytic methods.
Objective: A level of internal audit organization
providing financial reports and monitoring
internal controls.
Approach: Method of audit review, frequency
and technique.
IT/Data access: Level and frequency of access to
the information system and data.
Audit automation: The automated level of
auditing, usage of technology to assist the audit
review cycle.
Audit and management sharing: An internal
audit department shares systems and resources
with management. They have access and utilize
the system together.
Management of audit function: Degree of
cooperation between financial audit and IT audit,
collaboration with other compliance
departments.
Analytic methods: Level of analytical procedure
that an internal auditor performs, techniques, and
details.
Table 1: The audit maturity model
Stage 1 Stage 2 Stage 3 Stage 4
Traditional audit Emerging Maturing Continuous audit
Objectives Assurance on the
financial reports
presented by
management
Effective control
monitoring
Verification of the
quality of controls and
operational results
Improvements in the
quality of data
Creation of a critical
meta-control structure
Approach Traditional
interim and
year-end audits
Traditional approach
with some
key monitoring
processes
Usage of alarms as
evidence
Continuous control
monitoring
Audit by exception
IT/Data access Case=by-case Repeating key Systematic monitoring Complete data access
8
Stage 1 Stage 2 Stage 3 Stage 4
Traditional audit Emerging Maturing Continuous audit
basis
Data is captured
during
the audit process
extractions on cycles of processes with data
capture
Audit data warehouse,
production, finance,
benchmarking and
error history
Audit
automation
Manual
processes &
separate IT audit
Audit management
software
Work paper
preparation software
Automated monitoring
module
Alarm and follow-up
process
Continuous monitoring
and immediate
response
Most of audit automated
Audit and
management
sharing
Independent and
adversarial
Independent with
some core monitoring
shared
Shared systems and
resources with
natural process
synergies
Purposeful Parallel
systems and common
infrastructures
Management of
audit function
Financial
organization
supervises audit
and Matrix to
Board of
Directors
Some degree of
coordination between
the areas of risk,
auditing and compliance
IT audit works
independently

IA and IT audit
coordinate risk
management and share
automatic audit
processes
Auditing links
financial data to
operational processes

Centralized and integrated
with risk management,
compliance and SOX/ layer
with external audit.
Analytical
methods
Financial ratios Financial ratios at
sector level/account
level
KPI level monitoring
Structural continuity
equations
Monitoring at
transaction level

Corporate models of
the main sectors of the
business
Early warning system

The current level of a continuous auditing and
continuous monitoring of most of the companies are
classified between stage 1 and 2 of the model. There is
tremendous opportunity for the companies to progress
toward the higher stages. Companies can deploy more
automated tools to support an audit review process,
enhance analytical procedures, invest in IT and personnel,
and improve the level of cooperation between each unit.
Graph 1: The current level of the adoption of a continuous auditing and continuous monitoring of
the companies


Traditional Emerging Maturing Continuous
9
7. Conclusion
With the emergence of a continuous auditing and
continuous monitoring methodology, an ongoing, timely
review of financial data and internal control of the
company is enhanced. From interviews with internal audit
managers of leading organizations, we gained an
understanding of the status of technology adoption and
development in this area. There are some factors that
affect the adoption, including management support,
perceived costs, regulatory environment, and employee
knowledge. To perform an audit review and data analysis
efficiently, an internal auditor needs a certain level of
information system and data access either via application
programs or via extractions by the IT department.
Generally, internal auditors are responsible for monitoring
the internal controls with a continuous control monitoring
technology, and reporting any exception to management.
Thus, next-generation internal auditors will require some
knowledge about the technology being used and current
audit practice. For that purpose, training is provided to
support their work and enhance their ability. Continuous
auditing and continuous control monitoring technology
also facilitate SOX compliance. Field work and iterative
tasks can be reduced. All of the internal audit departments
have tools and audit automation to support their work, e.g.
electronic working papers and data analysis tools. Some
companies are more advanced and have a continuous
monitoring tool and an alarm system.
Based on the result of the interviews, the companies
can be classified according to the audit maturity model to
evaluate the status of continuous auditing and continuous
monitoring. Most of them are ranked between stage 1,
traditional audit, and stage 2, emerging. This means that
although they have certain level of CA/CM, they are still
in the initial phrase, and there is opportunity for
development in the future. This result contrasts strikingly
with the PwC survey, which states that a large number of
companies have continuous auditing in place.
Small sample size limits the generalizability of this study.
Our research can be extended in two ways. First, a
structural survey research can be conducted to get more
details on the characteristics and behavior of technology
adoption by organizations. Additional measurements can
be included, and the questionnaire method will result in a
larger sample size than the interview technique we
employed. Second, the a follow-up interview with the
organizations would provide useful time-series data
regarding technology adoption trends and progress.
Appendix A
Continuous Monitoring / Auditing site visit
introductory questions:
Each individual best practice organization data
gathering should begin with the following general
questions and followed by questions regarding people,
process, technology, and future directions. To be used as
appropriate, the APPENDIX provides additional detailed
questions regarding CA/CM usage of specific tools.
1. Overview questions:
a. How would you describe the current state of
continuous monitoring / auditing in your
organization? Discuss CM and CA separately.
b. How are continuous monitoring / auditing
techniques used in the organization?
c. What specific applications [i.e. combination of
people, process and technology] have been
implemented?
d. Has the focus been on controls or transaction
monitoring (or both)?
2. People-related questions:
a. How much attention does management pay to
exception reporting from the CA/CM tools?
b. Identify the resources required by the
organization to utilize CA/CM and the demands
imposed on the clients human and IT resources.
c. How would you describe the mix of skills
necessary for a successful CM and CA
capability? How much effort does it take to
obtain/change this skills base to accommodate
change?
d. Training-related questions:
i. Were personnel in the organization trained
in the use or interpretation of CA/CM?
From what functions?
ii. What kind of training was provided and by
whom?
iii. Evaluation of the CA/CM training:
e. Was the amount of time assigned to training
sufficient?
f. What difficulties were encountered in the
training process? How were they overcome?
3. Process-related questions:
a. To what extent is the CA/CM system used by
operational managers for monitoring of business
processes?
b. How should existing audit/control procedures be
modified to increase the utilization of technology
in monitoring / audit (e.g. timing, nature or
extent)?
c. Did regulation and compliance affect the
decision to adopt CA/CM? (e.g. SOX 404)
d. Has CA/CM had an impact on Control Self
Assessment (CSA) (if used)? If so, how?
e. Does the implementation of CA/CM aid the
organizations compliance efforts as expected?
4. Technology-related questions:
a. What is the degree of automation in the CA/CM
process? What percentage of prior audit
procedures have been switched from manual to
automated?
b. How did the organization select the technology
to adopt? What criteria were used and who had
the final authorization authority?
10
c. Discuss the quality of the data extracted from the
companys ERP, legacy or data warehouse
ready to be used by the CA/CM tools? How
have these improved? Plans for further
improvement?
5. Future directions:
a. What is planned over the next two years to
expand or improve in either the monitoring or
auditing arenas?
b. To what extent does the current audit
methodology and guidance inhibit a fuller
adoption of CA/CM tools? Same question re
monitoring?
c. What are the barriers to more widespread use of
CA/CM technology?
Additional detailed questions regarding CA/CM
usage to be used with interviews around
specific projects or applications.
1. Usage characteristics:
a. What kinds of transactions can be analyzed using
CA/CM?
b. Is data extraction done in real time or on an
extract and analyze basis?
c. Were the CA/CM extraction and analysis tools
run by specialists or by the audit team?
2. Experience with the use of CA/CM:
a. How do you ensure data integrity?
b. How has CA/CM improved the quality and
reliability of the evidence obtained?
3. What barriers were there in using the CA/CM tools
effectively and efficiently?
4. Data extraction
a. How easy was it to extract the data from the
system? What tools were used in data extraction?
b. If it was difficult to extract the data, describe the
difficulties encountered.
c. How were the accuracy, completeness and
validity of the extracted data verified?
References
Arnold, V., and S. Sutton. 1998. The Theory of Technology
Dominance: Understanding the impact of intelligent decisions
aids on decision makers judgments. Advances in Accounting
Behavioral Research 1: 175-194.
Behn, B. K., D. L. Searcy, J.B. Woodroof. 2006. A Within Firm
Analysis of Current and Expected Future Audit Lag
Determinants. Journal of Information Systems 20 (1): 65-86.
Canadian Institute of Chartered Accountants. 1999. Research
Report on Continuous Auditing. Toronto, Canada.
Gray, W.B., and R.J. Shadbegian. 1998. Environmental
Regulation, Investment Timing, and Technology Choice.
Journal of Industrial Economics 46(2): 235-256.
Karahanna, E., S.W. Detmar, and N.L. Chervany. 1999.
Information Technology Adoption Across Time: A Cross-
Sectional Comparison of Pre- Adoption and Post-Adoption
Beliefs. MIS Quarterly 23 (2): 183-213.
Hall, B.H., and B. Khan. 2003. Adoption of New Technology.
University of California, Berkeley working papers (May).
Handscombe, K. 2007. Continuous Auditing From a Practical
Perspective. Information Systems Control journal 2.
Heffes, E.M. 2006. Theory to practice: continuous auditing
gains. Financial Executive:17-18.
Janvrin, D., J. Bierstaker, and J.D. Lowe. 2008. An Examination
of Audit Information
Technology Use and Perceived Importance. Accounting
Horizons 22 (1): 1-21.
Lai, V.S., and J.L. Guynes. 1997. An Assessment of the
Influence of Organizational
Characteristics on Information Technology Adoption Decision:
A Discriminative Approach. IEEE Transactions on
Engineering Management 44 (2).
OReilly, A. 2006. Continuous Auditing: Wave of the future?.
Corporate Board (September): 24-26.
PricewaterhouseCoopers. 2006.State of the internal audit
profession study: Continuous auditing gains momentum.
PricewaterhouseCoopers.
Sarva, S. 2006. Continuous Auditing Through Leveraging
Technology. Information System Control Journal 2.
Searcy, D., and J. Woodroof. 2001. Continuous Audit
Implications of Internet Technology: Triggering Agents Over
the Web in the Domain of Debt Covenant Compliance.
Proceedings of the 34th Hawaii International Conference on
System Sciences.

Searcy, D., and J. Woodroof. 2003. Continuous Auditing:
Leveraging Technology. The CPA journal (May).
Searcy, D., J. Woodroof, and B. Behn. 2002. Continuous Audit:
The Motivations, Benefits, Problems, and Challenges
Identified by Partners of a Big 4 Accounting Firm.
Proceedings of the 36th Hawaii International Conference on
System Sciences (HICSS03).
Taylor, M., and A. Murphy. 2004. SMEs and E-business.
Journal of Small Business and Enterprise Development 11
(3): 280-289.
Troshani, I., and B. Doolin. 2005. Drivers and Inhibitors
Impacting Technology Adoption: A Qualitative Investigation
into the Australian Experience with XBRL. 18th Bled
eConference eIntegration in Action, Bled, Slovenia.